
php – Session injection?

Posted by: admin July 12, 2020

Questions:

How should I store the id of the user in the session? Just insert the id? I mean (for example):

$_SESSION['id'] = 1;

Isn’t there a way for the user himself to change it (as with a cookie)? Because if so, he can change it to any id.

One more question about it – how can I check if a user is logged in (with sessions)? I created a session:

$_SESSION['is_logged_in'] = true;

Again, can’t the user just create a session variable whose name is ‘is_logged_in’ and whose value is true? Or does only the server have control over the value of the session?

Answers:

All session variables in PHP are stored server side.
The client stores a cookie that references which session should be used, and then the server looks up the values for the session.
It is safe to store is_logged_in in your session as well as the user id.

What you should be aware of is that if one user gets hold of another user’s session cookie, they will be able to impersonate that user until the session times out. One simple solution is to link sessions to IPs.
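To show what the answer describes in working code, here is an added example (not from the original post or from PHP's documentation): the user id and is_logged_in flag live only server side in $_SESSION, the session id is regenerated at login, and the session is bound to the client's IP as the answer suggests. The function names secure_session_start, login_user, is_logged_in and logout_user are hypothetical.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.
declare(strict_types=1);

function secure_session_start(): void
{
    // Cookie flags: not readable by JavaScript, HTTPS only, not sent cross-site.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    // Reject session ids the server never issued (must be set before session_start).
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login_user(int $userId): void
{
    // Fresh id at login: an id planted in the browser before authentication
    // (session fixation) is never promoted to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['id']           = $userId;          // stored server side only
    $_SESSION['is_logged_in'] = true;             // client cannot set this itself
    $_SESSION['client_ip']    = $_SERVER['REMOTE_ADDR'] ?? '';
}

function is_logged_in(): bool
{
    if (empty($_SESSION['is_logged_in'])) {
        return false;
    }
    // A copied cookie replayed from another address is treated as not logged in.
    // Caveat: users whose address changes (mobile, rotating NAT) get logged out.
    if (($_SESSION['client_ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logout_user();
        return false;
    }
    return true;
}

function logout_user(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page:
secure_session_start();
if (is_logged_in()) {
    $currentUserId = $_SESSION['id'];
}
```

The IP check only narrows the window for a stolen cookie; the session cookie still has to be protected in transit (HTTPS) and from scripts (httponly), which the cookie flags above enforce.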